online banking lawsuit

February 16, 2010

Populist Politics

The web changes how public disputes are contested. Inexpensive web 2.0 publicity disrupts the balance of power.

Internet Bank Robbery - The Facts

After computer thieves stole $200,000 [Krebs] from the bank account of Hillary Machinery Inc., the company demanded reimbursement from its bank, PlainsCapital Bank. The bank refused. Thus began one of the most gripping cases in the history of computer security law . . . and a lesson in how to use the Internet as a populist podium . . .

Apparently the investigation of the heist has not determined conclusively how the hackers succeeded in tricking the bank into transmitting money out of the account. Each party believes the forensic investigation proves it is blameless.

The Law On Internet Bank Robberies

The legal relationship between Hillary and the bank is largely governed by Uniform Commercial Code Article 4A and the banking agreements signed between the parties. In a case like this, an essential issue is whether the bank employed commercially reasonable security procedures when it acted upon what purported to be electronic payment instructions from Hillary. The bank maintains that its security was reasonable, and therefore it need not reimburse the money.

As this dispute escalated, Hillary might have sued, possibly in Texas state court or possibly in federal court.

But the bank seized the legal initiative. It sued Hillary in federal court! The bank may have calculated that a federal court would review this complex, technical case more thoughtfully than a state court. So it preempted Hillary's option to sue in state court.

From the federal court, the bank seeks an affirmation that its security was reasonable. In essence, the bank said Hillary had called into question the integrity of the bank's operations, and the bank is entitled to clear its name by way of litigation.

The bank is forcing Hillary to spend money on lawyers, quite possibly hoping Hillary will decide this quarrel is too expensive, too much trouble and will settle and shut up. From the perspective of traditional litigation strategy, the bank is probably in a stronger position because it can afford to spend much more on lawyers and technical experts to fight the case.

Internet as Populist Bullhorn

This is an unusual lawsuit. But it has taken an even more remarkable twist. Instead of cowering, Hillary has gone on the publicity warpath. On its primitive web page, Hillary complains noisily about the bank and its security.

It started working with other interested and knowledgeable parties, and is shouting from the virtual rooftops, “Can you believe this? Hackers stole $200,000 from my bank account, and then my bank sued ME!” That's one newsy sound bite.

Hillary has attracted quite a few news stories (including in the Dallas Morning News and the Denver Post), many of them favorable to Hillary. The most sensational is a TV report on Fox Business, which is posted on the web. Hillary of course points to many of these reports from its web site.

What's more, Hillary affiliates appear to be posting pointed comments on web discussion threads. When a popular Dallas news blog wrote an unrelated story about PlainsCapital, someone apparently associated with Hillary posted a comment saying (paraphrase) “Thieves stole money from our PlainsCapital account, and then PlainsCapital hauled us into court!” linking to the Fox Business video. [Another example: see the second comment, from Amanda, below this post.]

Someone who appears to be the spouse of a Hillary co-owner vocally discusses the case in an online forum, complaining about the bank and pointing to the media reports.

This controversy between Hillary and the bank now dominates the Wikipedia page about the bank. Can this be good for the bank?

In the public comments to a key blog article on the lawsuit, one observer sympathetic to Hillary finds that the bank has published a job posting for a wire transfer risk specialist. The observer suggests, yeah, they need someone with those skills! The actions of this "observer" (Is he or she affiliated with Hillary? A volunteer? Who knows.) give the impression that the public is rallying to Hillary's aid.*

The bank hasn't said much to defend itself in public. The bank's tight-lipped approach (“our lawsuit speaks for itself”) hasn't played well. There is no way all this chatter on the web has been good for the bank's reputation. The damage to the bank's image could far exceed $200,000.

Hillary is a reasonable-size mom and pop business ($35 million in 2008 annual sales). PlainsCapital ($4.4 billion in assets) is much larger. The bank's old-style approach – let our lawyers do our talking – seems to have enabled populist underdog Hillary to land some blows on its opponent.

Although many details about this case are known to the public, many are not. We don't know, for instance, everything about the security or insecurity of Hillary's computers or whether the bank had offered Hillary some additional security procedures that Hillary declined to use. (An example of additional security might be SMS text messages to cell phones of Hillary officials as each and every event transpires within the bank account.) The bank may have a stronger story here than it has revealed so far.

Cyber Publicity is Faster Than a Lawsuit

But as things are going now, the bank may not have a good chance to tell its side of this cybertheft story. Internet-driven public opinion may solidify long before the bank can explain.

Talking on the web (Hillary's approach) is fast and cheap. Talking through lawyers in the courtroom (the bank's approach) is slow and expensive.

Publicity is different today than it was a few years ago. In the past, an unflattering report might appear on TV or in a newspaper, and then it was gone and few would remember. But media reports today live persistently on the web. Months-or-years-old reports can show up when prospective customers google “PlainsCapital Bank.”

This squabble is not over. But as of February 16, 2010, little Hillary seems to have exploited the web as an asymmetrical weapon against a larger adversary.

Update: Resolution May 2010

Hillary and PlainsCapital settled their lawsuit, and agreed to keep the terms confidential. The settlement came two days after the court rejected motions by PlainsCapital that the case go to arbitration; PlainsCapital apparently wanted arbitration because it felt a public trial was less likely to deliver it a net benefit. It is hard for me to conclude that this lawsuit was good for PlainsCapital. The bank started the lawsuit. The bank's apparent goal was to clear its name and reputation. The bank did not achieve its goal.

–Benjamin Wright

Mr. Wright teaches IT security law at the SANS Institute, where he stresses how critical public communications (policies, notices, banners, warnings, contracts, subpoenas, interviews, social media, press releases, declarations in court and much more) are to effective cyber defense, negotiations and investigations.

* Gadzooks. Notice how easily a grumpy member of the public was able to dig up a choice detail about PlainsCapital (its job posting for a risk specialist) and link to it from a well-trafficked location with an unfavorable comment. The world did not operate this way a few years ago. Organizations like PlainsCapital live in more of a fishbowl today than they once did. Organizations must re-calibrate how they make and maintain their public images.

[Note: Since I originally posted this article, Hillary Machinery and its affiliates have contacted me and asked that I correct a couple of factual errors. Based on what they said and what I read elsewhere on the web, I have revised my article here. If anyone believes that I have made a mistake here or any other place, I ask that person to telephone me promptly at 1.214.403.6642.]

The World Wide Web is changing contract and commercial law practices. As a global medium for broadcasting terms, notices, conditions, and disclaimers, the web empowers business innovators preemptively to warn their trading partners of risk and to disclaim responsibility to prospective counterparties. Business innovators might therefore use the web to reduce their legal risk.

This blog post presents an advanced idea. To explain it will require space, so please hang with me as I lay out my argument. First I will explain how forward-thinking traders like hedge funds can be exposed to new legal liability. Then I will explain a method for containing that exposure, a method that could apply to more than just hedge funds and financial markets.

The legal desire to warn others and disclaim liability is acute in the cutthroat world of financial derivatives and structured finance. Derivatives (which are fueled by efficient digital technology), especially credit default swaps (CDS), allow aggressive traders to assume unconventional, counterintuitive positions – positions that may surprise and even anger other parties. Three examples:

1. George Soros says some of the bondholders in the AbitibiBowater and General Motors bankruptcies perversely preferred to dissolve the companies rather than reorganize them on account of the bondholders’ positions in credit default swaps. “CDS are instruments of destruction that ought to be outlawed,” he proclaimed (emphasis added). Further, to hold both a bond and a corresponding CDS simultaneously “is like buying life insurance on someone else’s life and owning a license to kill him.” George Soros, “My three steps to financial reform,” Financial Times, June 17, 2009.

2. Some analysts complain about a Fidelity mutual fund that simultaneously held both bonds issued by the distressed Six Flags company and hedged CDS positions relative to those bonds. According to the analysts, the mutual fund turned down a reasonable restructuring offer for the Six Flags company. Strangely, the mutual fund preferred that Six Flags sink into bankruptcy where bondholders as bondholders would receive less. The Economist magazine goes on to observe, “By purchasing a material amount of a firm’s debt in conjunction with a disproportionately large number of CDS contracts, rapacious lenders (mostly hedge funds) can render bankruptcy more attractive than solvency.” “CDSs and bankruptcy: No empty threat,” The Economist, June 20, 2009, p. 79 (emphasis added to highlight that the Economist thinks the mutual fund's behavior was bad and presumably should be punished).

3. Amherst Holdings, a Texas investment firm, “ambushed” some big banks. The banks were counterparties to which Amherst had sold CDSs so that the banks could hedge their losses on bonds they owned representing defaulting mortgages. From the sale of the CDSs, Amherst and its associates earned multimillion dollar fees from the banks. Under the terms of the CDSs, team Amherst would have to pay handsomely as the losses from the defaulting mortgages were allocated under the bonds to the banks. But then Amherst executed a maneuver that prevented the banks from collecting under the CDSs. It used a little-known legal loophole to arrange (with the party that services the bonds) for the bonds to be paid in full! The banks were not prepared for this scenario. The result was that team Amherst did not have to pay as expected under the CDSs. On balance, Amherst made money, and the banks lost the substantial fees they had paid team Amherst for the CDSs. Some of the banks have complained to industry trade associations that Amherst acted improperly. Zuckerman, Ng & Rappaport, “A Daring Trade Has Wall Street Seething,” Wall Street Journal, June 12, 2009. Deutsche Bank averred that a maneuver like Amherst’s might be illegal.

In each of these three stories, counterparties or other investors felt the successful traders had acted unfairly, possibly deceptively and perhaps even illegally.

When large sums of money are lost unexpectedly, losers are prone to seek legal or political redress. They might try to claim, for example, that they were victims of fraud or that they were entitled to more disclosure of the other party’s intention, position, or strategy.

But in anticipation of the possibility of such legal claims, unconventional traders might take steps long in advance. They might pre-empt such claims by issuing a general warning and disclaimer. They might conspicuously publish on their Web pages a notice like this:

“Notice. This is notice published by ABC Hedge Fund (the “Fund”) to the attention of any party that may have a direct or indirect relationship to the Fund’s investments, including but not limited to an investor, a counterparty or the issuer of debt, equity or other rights, interests or securities. Please be advised that the Fund may assume or take advantage of innovative, unconventional or surprising positions. While the Fund shall always stay in full compliance with all applicable laws, please be alert that the Fund may aggressively pursue trading or investment strategies that are novel or counterintuitive. Except to the extent the Fund otherwise explicitly agrees in writing, the Fund disclaims responsibility to (a) inform others of its intentions, trading positions or investment strategies, or (b) look out for the interests of others or divine their intentions, strategies or expectations.”

Publication of such a notice/disclaimer would create electronic records suggesting that prospective “victims” had been warned in advance.

How effective might such a notice be? Although the legal effect of any kind of disclaimer can rarely be certain for all circumstances, support is growing for the proposition that general-distribution legal notices can be delivered by way of publication on the web. Observe four angles on the topic: